
08 - Ethernet Switch Configuration

By Muhammad Asghar Khan


Reference: CCENT/CCNA ICND1 Official Exam Certification Guide By Wendell Odom

Agenda

Configure Topology in Packet Tracer
Configuration Features Common in Routers & Switches
    Securing the CLI
        Configuring Simple Password Security for Console & Telnet Access
        Configuring Usernames & SSH
        Password Encryption
        Enable Mode Passwords
    Customizing CLI Connection
        Banners
        History Buffer
        Configuring Syslog Messages
        Configuring Inactivity Timeout
LAN Switch Configuration
    Switch IP Configuration
    Interface Configuration
    Port Security
    VLAN Configuration
    Securing Unused Interfaces

www.asghars.blogspot.com

Configure Topology in Packet Tracer

Configure the topology for practice as shown below

Add two PDUs: one with PC0 as source and PC1 as destination, and similarly one with PC1 as source and PC0 as destination


Configuration Features Common in Routers & Switches


Securing the CLI

Configuring security on a switch or router requires the following steps:

Configuring Password for Enable Mode
Configuring Password for Console Access
Configuring Password for Telnet Access
Configuring Usernames & SSH
Password Encryption
Enable Mode Passwords


Configuring Password for Enable Mode


By default, the enable command lets console users enter enable mode without a password. To protect enable mode, use the enable secret global configuration command.
Move from user EXEC mode to enable mode
Move from enable mode to global configuration mode
Set the enable-mode password, pwd

Configuring Password for Console Access


Move to line configuration mode (a subconfiguration mode) to configure the console
Set the console password, pwd
Prompt for the password (authentication)


Configuring Password for Telnet Access


Move to line configuration mode for the virtual terminal (vty) lines
Set the Telnet password, cis
Prompt for the password (authentication)

You can verify the previous configuration with the show running-config command.
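The console, Telnet and enable-mode passwords described above, as an added example that is not part of the original slides; it uses the same sample passwords (pwd and cis) the slides mention.

```cisco
! Added example (not from the slides): enable, console and vty passwords.
! "pwd" and "cis" are the sample values used in the slides.
Switch> enable
Switch# configure terminal
! Protect privileged EXEC (enable) mode
Switch(config)# enable secret pwd
! Console line: require a password before user EXEC mode is reached
Switch(config)# line console 0
Switch(config-line)# password pwd
Switch(config-line)# login
Switch(config-line)# exit
! Telnet: the same for the 16 virtual terminal lines
Switch(config)# line vty 0 15
Switch(config-line)# password cis
Switch(config-line)# login
Switch(config-line)# end
! Verify: the passwords appear under each line section, still in clear text
Switch# show running-config | begin line con
```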


Configuring Usernames & SSH


SSH is the preferred method for remote login to switches and routers. Telnet sends all data, including passwords, as clear text, while SSH encrypts the data sent between the SSH client and the SSH server. SSH can use one of two user authentication methods:
Username & password configured on the switch
Username & password configured on an external server, called an Authentication, Authorization & Accounting (AAA) server

Here we will use the local configuration on the switch



Step 1: Both a hostname & a domain name are required for the encryption keys
Step 2: Generate the encryption key
Step 3: Set the maximum idle timer
Step 4: Set the maximum number of failed attempts
Step 5: Add a username & password
Step 6: Enter vty line configuration
Step 7: Use local authentication
Step 8: Finally, tell the switch to accept both Telnet & SSH


Step 5: Generate a public & private key pair as well as the shared encryption key

Display RSA key pair information
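The eight SSH steps above, as an added example that is not from the slides; the hostname SW1, the domain example.com and the user admin are assumed values, and username ... secret is used in place of a clear-text password.

```cisco
! Added example (not from the slides): SSH with a local username.
! Hostname, domain name, username and password are assumed sample values.
Switch# configure terminal
! Step 1: hostname and domain name are needed to name the RSA key pair
Switch(config)# hostname SW1
SW1(config)# ip domain-name example.com
! Step 2: generate the RSA key pair; this also starts the SSH server
SW1(config)# crypto key generate rsa modulus 1024
! Steps 3 and 4: idle timeout (seconds) and failed-attempt limit for SSH
SW1(config)# ip ssh time-out 60
SW1(config)# ip ssh authentication-retries 3
! Step 5: local user; "secret" stores an MD5 hash instead of a type 7 string
SW1(config)# username admin secret Str0ngPassw0rd
! Steps 6 to 8: vty lines authenticate against the local user database
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# transport input telnet ssh
SW1(config-line)# end
! Verify the key pair and the SSH server status
SW1# show crypto key mypubkey rsa
SW1# show ip ssh
```

Once SSH is verified working, "transport input ssh" on the vty lines drops the clear-text Telnet path entirely.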


Password Encryption

The password and username commands store the password in clear text in the running-config file; the enable secret command only hides its own password value. To avoid exposing passwords in a printed copy of the configuration file, you can encrypt them using the service password-encryption global configuration command. If the no service password-encryption command is used later, the passwords remain encrypted until they are changed, at which point they show up in clear text.

Example shows the password encryption process:

List the running configuration, beginning with the first line that contains the text line vty
Encrypt the passwords
The passwords are now encrypted; the 7 identifies the type of the underlying encryption algorithm


Remove the password encryption service

Passwords still encrypted

Change password for vty


Password encryption is removed


Enable Mode Passwords

The enable secret command uses an MD5 hash to hide the password. MD5 is much more secure than the encryption used by the service password-encryption command. If both the enable password and enable secret commands are used, the password set with enable secret is the one that must be entered.

Example shows the enable secret and encryption process:

Use enable secret rather than enable password
MD5 hash value of the password
Delete the enable secret password
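Added example (not from the slides) covering both the service password-encryption slides and the enable secret slide; it assumes the console and vty line passwords from the earlier slides are already configured.

```cisco
! Added example (not from the slides): hiding passwords in the configuration.
! Assumes "password cis" is already set on the vty lines.
! Before: "show running-config" lists "password cis" in clear text
Switch# configure terminal
Switch(config)# service password-encryption
Switch(config)# end
! After: the same line reads "password 7 <obfuscated string>". Type 7 is a
! reversible obfuscation, so it only protects a printed config from casual
! reading; it is not a substitute for enable secret or username ... secret.
Switch# show running-config | begin line vty
! Turning the service off leaves existing passwords encrypted until they change
Switch# configure terminal
Switch(config)# no service password-encryption
! enable secret is stored as "enable secret 5 <MD5 hash>" and is the password
! that is actually required whenever both enable commands are configured,
! so remove any leftover enable password rather than relying on precedence
Switch(config)# enable secret pwd
Switch(config)# no enable password
! To delete the secret again: no enable secret
Switch(config)# end
Switch# show running-config | include enable
```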


Customizing CLI Connection

The following configuration settings affect the behavior of the CLI connection from the console and the vty lines (Telnet & SSH):

Banners
History Buffer
Configuring Syslog Messages
Configuring Inactivity Timeout


Banners

A banner is simply some text that appears on the screen for the user. Cisco routers & switches can display a variety of banners. The three most popular banners are:
Message of the Day (MOTD): Shown before the login prompt. Used for temporary messages
Login: Shown after the MOTD but before the login prompt. Used for permanent messages
Exec: Shown after the login prompt. Used to supply information that should be hidden from unauthorized users

q is used as the beginning and ending delimiter character

History Buffer

The last several commands are saved in the history buffer. Commands related to the history buffer are:
List the commands currently held in the buffer
From line configuration mode, set the default number of commands for the user(s) of the console or vty lines
From EXEC mode, the user can set the size of the history buffer for his or her single connection


Configuring Syslog Messages

A switch or router puts syslog messages on the console screen at any time, including right in the middle of a command you are entering. To make using the console a little easier, you can tell the switch to display syslog messages only at convenient times. To do this, just configure the logging synchronous console line subcommand.


Configuring Inactivity Timeout


By default, the switch or router automatically disconnects users after 5 minutes of inactivity. To set a different inactivity timer, use the exec-timeout line subcommand. If the timeout is set to 0 minutes and 0 seconds, the router never times out the console connection.
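The four CLI customizations above (banners, history buffer, synchronous logging, inactivity timeout), as an added example not taken from the slides; the banner text, history sizes and timeout values are assumed.

```cisco
! Added example (not from the slides): banners, history, syslog, timeout.
! Banner text and sizes are assumed sample values.
Switch# configure terminal
! Banners: "q" is the delimiter that starts and ends each banner text
Switch(config)# banner motd q Scheduled maintenance Friday 22:00 q
Switch(config)# banner login q Authorised access only q
Switch(config)# banner exec q Internal use: contact NOC ext 1234 q
! History buffer: default size for every user of the console line
Switch(config)# line console 0
Switch(config-line)# history size 30
! Syslog: redisplay the half-typed command after a message interrupts it
Switch(config-line)# logging synchronous
! Inactivity timeout of 10 minutes 30 seconds; "exec-timeout 0 0" disables
! the timer, which leaves an unattended console session open indefinitely
Switch(config-line)# exec-timeout 10 30
Switch(config-line)# end
! Per-session history size, set from EXEC mode for this connection only
Switch# terminal history size 50
Switch# show history
```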


LAN Switch Configuration


The configurations discussed here apply only to switches, not routers. The LAN switch configurations covered here are:

Switch IP Configuration
Interface Configuration
Port Security
VLAN Configuration
Securing Unused Interfaces


Switch IP Configuration

To allow Telnet, SSH, Simple Network Management Protocol (SNMP) & Cisco Device Manager (CDM) to work properly, the switch needs an IP address. Switches don't need an IP address to forward Ethernet frames. You can configure a switch with its IP address/mask/gateway, or the switch can learn them dynamically using DHCP. An IOS-based switch uses a special virtual interface, the VLAN 1 interface, to configure the IP address & mask. This interface plays the same role as an Ethernet interface on a PC.

Example shows the static IP address configuration:

Enter VLAN 1 configuration mode
Assign the IP address & mask using the interface subcommand
Enable the VLAN 1 interface using the no shutdown subcommand
Syslog messages
Add the default gateway using a global configuration command



To administratively disable an interface, use the shutdown interface subcommand. You can verify this with show running-config.


To configure the switch as a DHCP client, use the following steps:
Enter VLAN 1 configuration mode
Instead of assigning an IP address & mask, use the ip address dhcp command
There is no need to define the default gateway

To verify it, we can't use the show running-config command; instead we have to use the show dhcp lease command.
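Static and DHCP management addressing on interface VLAN 1, as an added example that is not the slides' own; the addresses are assumed.

```cisco
! Added example (not from the slides): management IP on interface VLAN 1.
! Addresses are assumed sample values.
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.2 255.255.255.0
! The interface is shut down by default; without this it never comes up
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Default gateway for management traffic leaving the local subnet
Switch(config)# ip default-gateway 192.168.1.1
Switch(config)# end
Switch# show running-config | begin interface Vlan1
!
! Alternative: learn address, mask and gateway from DHCP
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address dhcp
Switch(config-if)# no shutdown
Switch(config-if)# end
! A DHCP-learned address is not shown in running-config; use these instead
Switch# show dhcp lease
Switch# show interfaces vlan 1
```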

If you forget to issue the no shutdown command, the VLAN 1 interface remains in its default shutdown state. You can use the show interfaces vlan 1 command to check the state and the IP address assigned by DHCP.

Interface Configuration

Interface refers to the physical ports used to forward data to and from other devices. Interfaces are named with the convention: media-type slot#/port#, where the media type is Ethernet, FastEthernet, GigabitEthernet, Serial, Token Ring, or another media type.

Slot numbers are only applicable to routers that provide slots into which you can install modules (these are called modular routers). The port number refers to the port within the module. For example, fastethernet 0/0 is module 0, port 0. The figure shows the slot numbering and interface ports.

IOS uses interface subcommands to configure several settings for each interface. Example shows the interface subcommands duplex, speed and description:

Enter interface configuration mode for port 1
Specify the duplex mode of operation for this interface
Specify the speed for this interface
Describe what the interface does
Specify a range of interfaces to which subsequent commands are applied

If the duplex & speed commands are not configured, an interface uses auto-negotiation (shown as a-full & a-100). You can verify this with show running-config or show interfaces status.
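Added example (not from the slides) applying duplex, speed, description and an interface range as described above; the port numbers and description text are assumed.

```cisco
! Added example (not from the slides): interface settings and a range.
! Port numbers and description text are assumed sample values.
Switch# configure terminal
Switch(config)# interface fastethernet 0/1
! Hard-set speed and duplex; the neighbour must be set the same way,
! otherwise a duplex mismatch causes errors and poor throughput
Switch(config-if)# duplex full
Switch(config-if)# speed 100
Switch(config-if)# description Uplink to Router R1
Switch(config-if)# exit
! Apply one description to several ports in one go
Switch(config)# interface range fastethernet 0/5 - 8
Switch(config-if-range)# description Finance PCs
Switch(config-if-range)# end
! Verify: "a-full"/"a-100" means auto-negotiated, "full"/"100" means configured
Switch# show interfaces status
Switch# show running-config | begin interface FastEthernet0/1
```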


Port Security

An engineer can use port security to restrict an interface so that only the expected devices can use it. When an inappropriate device attempts to send frames into the switch interface, the switch can issue informational messages and discard the frames. Port security is disabled by default. The example on the next slide shows the port security configuration.



Enter interface configuration mode for port number 2

Make the interface an access port. There are two types of port, access & trunk: access ports are what you would typically plug a server, PC/laptop, printer, etc. into; a device plugged into such a port will only be able to communicate with other devices in the same VLAN. Trunk ports are what you would typically plug a router into for inter-VLAN routing, or another switch in order to "share" VLANs between switches.



Determine the MAC address of the required interface. The do command allows privileged EXEC commands to be run from configuration mode.

Specify the MAC address(es) allowed to send frames into this interface; use this command multiple times to define more than one address. Alternatively, use the switchport port-security mac-address sticky command to learn & configure the MAC addresses from the first frame sent to the switch.

Verify the previous command

Define the action taken when a frame is received from a MAC address other than the defined address; shutdown means shut down the port if there is a security violation.

Enable port security on the interface (the opposite is no switchport port-security)
Specify the maximum number of MAC addresses allowed to be associated with this interface

Make the changes permanent




The port status is secure-up.

Change the ports for the PCs as shown & check the port status again.

The port status has changed to secure-shutdown, which means the interface has been disabled. The violation occurs because PC1 has a different MAC address than PC0; the security violation count also shows 1.
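The port-security procedure above, together with the recovery step after a violation, as an added example that is not the slides' own; the MAC address and port number are assumed.

```cisco
! Added example (not from the slides): port security on Fa0/2.
! The MAC address is an assumed sample value; read the real one with
! "show mac address-table" (or "do show mac address-table" in config mode).
Switch# configure terminal
Switch(config)# interface fastethernet 0/2
! Port security needs a static access (or trunk) port, not dynamic mode
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow one device; frames from any other source MAC are a violation
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0001.2345.6789
! Alternative to a static entry: learn the first source MAC and keep it
! Switch(config-if)# switchport port-security mac-address sticky
! shutdown (the default) err-disables the port; protect and restrict only
! drop the offending frames, restrict also logs and counts the violation
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
! Make the changes permanent
Switch# copy running-config startup-config
! Port Status reads Secure-up, or Secure-shutdown after a violation,
! and Security Violation Count shows how many were seen
Switch# show port-security interface fastethernet 0/2
! Recover a shut-down port after removing the offending device
Switch# configure terminal
Switch(config)# interface fastethernet 0/2
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
```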


VLAN Configuration

Interfaces are considered to be either access interfaces or trunk interfaces. Access interfaces send & receive traffic in only a single VLAN, called the access VLAN. Trunking interfaces send & receive traffic in multiple VLANs. VLAN trunking is covered in the ICND2 exam course; here we discuss the access VLAN. By default, Cisco switches already have VLAN 1 configured, and all interfaces are assigned to VLAN 1 by default.

To add another VLAN & assign access interfaces, consider the following example.

Design the network topology as shown (VLAN1 and Fin_vlan).

Check the summary of the VLAN information: it shows the default five undeletable VLANs, with all interfaces assigned to VLAN1.


The vlan command defines a VLAN with the unique id 2 and puts the switch into VLAN configuration mode. Name this VLAN fin_vlan.

Exit from VLAN configuration mode
Select multiple interfaces to execute commands on them at the same time
Set the VLAN for the interfaces; access means the interfaces are already in access mode
Verify the setting using the show command


Check the summary of the VLAN information; it now shows the entry for our newly created VLAN, with two interfaces assigned to it.


Securing Unused Interfaces

By default, an interface is configured in the no shutdown state with speed & duplex set to auto-negotiate. By default, all interfaces are assigned to VLAN 1, and each interface by default uses VLAN features such as VLAN trunking & VLAN Trunking Protocol (VTP), which are covered in ICND2. These default configurations make switches vulnerable to security threats.

The following commands show how to override the default settings and make the unused ports more secure:

Enter the ports' configuration mode
Disable the interfaces
Change the mode to access ports, to avoid VLAN trunking & VTP
Assign the ports to a VLAN, usually a VLAN which is not used


Verify the configuration by using the show command
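Added example (not from the slides) combining the VLAN example and the unused-port hardening above; the VLAN ids, names and port ranges are assumed.

```cisco
! Added example (not from the slides): a finance VLAN plus locked-down spares.
! VLAN ids, names and port ranges are assumed sample values.
Switch# configure terminal
! Create VLAN 2 and name it
Switch(config)# vlan 2
Switch(config-vlan)# name fin_vlan
Switch(config-vlan)# exit
! Two access ports for the finance PCs
Switch(config)# interface range fastethernet 0/3 - 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# exit
! Unused ports: no trunk negotiation, parked in an unused VLAN, and disabled,
! so a device plugged into a spare port gets neither a link nor a VLAN
Switch(config)# vlan 999
Switch(config-vlan)# name unused_parking
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 0/9 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown
Switch(config-if-range)# end
! Verify: VLAN 2 lists Fa0/3-4, VLAN 999 lists the spare ports,
! and the spare ports show as disabled
Switch# show vlan brief
Switch# show interfaces status
```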
